049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906

Analysis

max time kernel
133s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
Size

12.1MB
MD5

0d7f3f3e6bee00211f27a83c89450e4c
SHA1

e06b293da697a265f96943db01a3793f1b28c4ba
SHA256

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906
SHA512

d7721a5fa0e3680562f07ffb290a6586c356c531efb12262a534880bd408dd59d9ccb072cf7d1acfa6cde6716e85fb47b224353bd6ba6834db3f1873ff5fc60d

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 46 IoCs

Processes:

EXEtender.exeSetup.exeIKernel.exeIKernel.exeiKernel.exeGPlayer.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.exe

pid	process
4620	EXEtender.exe
1388	Setup.exe
5060	IKernel.exe
3840	IKernel.exe
376	iKernel.exe
540	GPlayer.exe
1572	cmhelper.exe
3764	cmhelper.exe
1468	cmhelper.exe
2360	cmhelper.exe
3172	cmhelper.exe
4768	cmhelper.exe
4668	cmhelper.exe
2120	cmhelper.exe
3800	cmhelper.exe
2984	cmhelper.exe
1276	cmhelper.exe
220	cmhelper.exe
3188	cmhelper.exe
3668	cmhelper.exe
3344	cmhelper.exe
4020	cmhelper.exe
3056	cmhelper.exe
3776	cmhelper.exe
2764	cmhelper.exe
2108	cmhelper.exe
3084	cmhelper.exe
904	cmhelper.exe
1088	cmhelper.exe
1160	cmhelper.exe
1328	cmhelper.exe
4504	cmhelper.exe
1472	cmhelper.exe
4376	cmhelper.exe
4620	cmhelper.exe
4316	cmhelper.exe
3400	cmhelper.exe
2220	cmhelper.exe
3948	cmhelper.exe
1368	cmhelper.exe
4868	cmhelper.exe
1840	cmhelper.exe
728	cmhelper.exe
748	cmhelper.exe
4608	cmhelper.exe
4768	cmhelper.exe

Loads dropped DLL 51 IoCs

Processes:

IKernel.exeSetup.exeregsvr32.exeregsvr32.exe049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exeGPlayer.exe

pid	process
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
1388	Setup.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
1512	regsvr32.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
4956	regsvr32.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
3840	IKernel.exe
2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DependencyCheck = "Performed"	GPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /schedule 300000"	GPlayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

IKernel.exe

description ioc process

File opened for modification C:\Program Files (x86)\Free Ride Games\Skins\000005\desktop.ini IKernel.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\desktop.ini	IKernel.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
File opened (read-only)	\??\E:	IKernel.exe
File opened (read-only)	\??\O:	IKernel.exe
File opened (read-only)	\??\P:	IKernel.exe
File opened (read-only)	\??\A:	GPlayer.exe
File opened (read-only)	\??\B:	GPlayer.exe
File opened (read-only)	\??\Z:	IKernel.exe
File opened (read-only)	\??\J:	IKernel.exe
File opened (read-only)	\??\K:	IKernel.exe
File opened (read-only)	\??\L:	IKernel.exe
File opened (read-only)	\??\R:	IKernel.exe
File opened (read-only)	\??\Y:	IKernel.exe
File opened (read-only)	\??\H:	IKernel.exe
File opened (read-only)	\??\I:	IKernel.exe
File opened (read-only)	\??\M:	IKernel.exe
File opened (read-only)	\??\Q:	IKernel.exe
File opened (read-only)	\??\T:	IKernel.exe
File opened (read-only)	\??\S:	IKernel.exe
File opened (read-only)	\??\U:	IKernel.exe
File opened (read-only)	\??\V:	IKernel.exe
File opened (read-only)	\??\A:	IKernel.exe
File opened (read-only)	\??\B:	IKernel.exe
File opened (read-only)	\??\F:	IKernel.exe
File opened (read-only)	\??\G:	IKernel.exe
File opened (read-only)	\??\N:	IKernel.exe
File opened (read-only)	\??\W:	IKernel.exe
File opened (read-only)	\??\X:	IKernel.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

IKernel.exeGPlayer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 IKernel.exe
File opened for modification \??\PhysicalDrive0 GPlayer.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	IKernel.exe
File opened for modification	\??\PhysicalDrive0	GPlayer.exe

Drops file in System32 directory 31 IoCs

Processes:

DrvInst.exeDrvInst.exeIKernel.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\x7xsex.inf_amd64_cf24f944d6a42a21\X7XSEx.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\SETFEA9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\SETF8CD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\X7Ex.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\X7XSEx.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\X7XSEx.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\SETF8DE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\SETFE98.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\x7ex.inf_amd64_2fdf677cf098e44c\X7Ex.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\x7ex.inf_amd64_2fdf677cf098e44c\X7Ex.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\vtdi.386	IKernel.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\x7xsex.inf_amd64_cf24f944d6a42a21\X7XSEx.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\x7xsex.inf_amd64_cf24f944d6a42a21\X7XSEx.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\SETFEBA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\SETF8CD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\X7Ex.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\X7Ex.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\SETF8DE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\x7ex.inf_amd64_2fdf677cf098e44c\X7Ex.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\SETFEBA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\SETFE98.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\X7XSEx.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\SETF8BC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{cc2e265b-75f2-6e45-aaa7-aeb0161ca7db}\SETFEA9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8c02153c-dfd6-9b4a-9253-79ed879969e7}\SETF8BC.tmp	DrvInst.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe

description	pid	process	target process
PID 2340 set thread context of 2124	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCCd6cd.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\btn\ok_2.gif	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\masks\login_splash.gif	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\tabsBg.jpg	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\X8ex.cat	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Info\sXp.dat	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\report.ini	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\GameInfoDefault\splad3ef.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\yesbe3fc.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Info\*.rgmxold	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\btn\hideinfo_1.gif	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\gameInfo\playda48.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Upgrades\EI.	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\temp.	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\IGL\13000090\cef\swiftshader\libGLESv2.dll	GPlayer.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\X8Ex.inf	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Info\*.dat	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCCC2_1_0.ttf	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\btn\ok_0d8b1.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\dialogBox\logoDialogBox.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\106.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\liced14f.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\login.css	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Data\version.tmp.http.tmp	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\gameInfo\righda76.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGLe208.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\IGL\13000090\d3d8.elf	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\whd1cc.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\splad69e.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\gplayer\gplayer_api_notification.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\adGad611.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\dl_in.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\Langs\0409\Strie275.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\X4Ex.sys	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_game.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvdd556.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCCd6dd.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\nobue36f.rra	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscrb5f7.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_d47b.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGLe209.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\button.jpg	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\masks\banner_on_1_buttons.gif	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\gamed66f.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_gametanium.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\ExentComponents.ini	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\*.Log	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvd_Skin.html.bak	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\carod631.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\mg_in.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\search_hover.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\mask\erroe285.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\13000090\CrashDump15.dll	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\dialogBox\bgRid8e0.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\preRoll\close_over.gif	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\icon_no_games.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\SubscriptionMyGamesTab.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_intro.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\GameInfoDefault\Gamed3ef.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\preRoll\inviddb3.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\29ddddd2.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\noMyGamesScreen.jpg	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\preme0a1.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_download_list.js	IKernel.exe

Drops file in Windows directory 18 IoCs

Processes:

DrvInst.exeIKernel.exeDrvInst.exePnpUtil.exePnpUtil.exesvchost.exe

description	ioc	process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\GPlrLanc.dat	IKernel.exe
File opened for modification	C:\Windows\X3.vxd	IKernel.exe
File opened for modification	C:\Windows\Downloaded Program Files\ExentCtl.ocx	IKernel.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Exend352.rra	IKernel.exe
File created	C:\Windows\Downloaded Program Files\Exene42b.rra	IKernel.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	PnpUtil.exe
File created	C:\Windows\FRGN7ff.rra	IKernel.exe
File opened for modification	C:\Windows\ExentInfo.exe	IKernel.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	PnpUtil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Glutil.exe	IKernel.exe
File opened for modification	C:\Windows\FRGN.ico	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DrvInst.exesvchost.exeDrvInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IKernel.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GPlayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GPlayer.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

regedit.exeregedit.exeregedit.exeIKernel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GtrHost.exe = "9999"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\gplayer.exe = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GtrHost.exe = "9999"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\Policy = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Gplayer.exe = "10001"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppName = "GPlayer.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	IKernel.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppPath	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Gplayer.exe = "10001"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppPath = "C:\\Program Files (x86)\\Free Ride Games"	IKernel.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exeIKernel.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	IKernel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

IKernel.exeIKernel.exeregedit.exeiKernel.exeregedit.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ = "ISetupShell"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ProgID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\Software\Classes\GameTreatWidget.GameTreatWidget.1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel	iKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ = "ISetupFileErrorInfo"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EXEtender\Shell\Open	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Mime	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\ProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\InprocServer32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\FLAGS\ = "0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	IKernel.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C1FD39-F2D3-50C9-AA6E-662D0EB26128}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Applications	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\HELPDIR	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ = "ISetupWindowText"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ = "ISetupWindowImage"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ = "InstallShield Script Engine"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\ = "InstallShield Script 1.0 Type Library"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A060447-60F9-11D5-A6CD-0002B31F7455}\ = "IExentInf"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\IScript\\"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.Kernel"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper.1	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\engine\\6\\Intel 32\\objectps.dll"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel.1\ = "InstallShield setup kernel"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A060448-60F9-11D5-A6CD-0002B31F7455}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

4168 regedit.exe
1400 regedit.exe
4952 regedit.exe

pid	process
4168	regedit.exe
1400	regedit.exe
4952	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

GPlayer.exe

pid	process
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

648
648
648
648
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeAuditPrivilege 224 svchost.exe
Token: SeSecurityPrivilege 224 svchost.exe

pid	process
648
648
648
648

description	pid	process
Token: SeAuditPrivilege	224	svchost.exe
Token: SeSecurityPrivilege	224	svchost.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

GPlayer.exe

pid	process
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

GPlayer.exe

pid	process
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe
540	GPlayer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

GPlayer.exe

pid process

540 GPlayer.exe
540 GPlayer.exe
540 GPlayer.exe
540 GPlayer.exe
540 GPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exeEXEtender.exeSetup.exeIKernel.exeregsvr32.exesvchost.exeGPlayer.execmhelper.execmhelper.execmhelper.execmhelper.exe

description	pid	process	target process
PID 2340 wrote to memory of 4620	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2340 wrote to memory of 4620	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2340 wrote to memory of 4620	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 4620 wrote to memory of 1388	4620	EXEtender.exe	Setup.exe
PID 4620 wrote to memory of 1388	4620	EXEtender.exe	Setup.exe
PID 4620 wrote to memory of 1388	4620	EXEtender.exe	Setup.exe
PID 1388 wrote to memory of 5060	1388	Setup.exe	IKernel.exe
PID 1388 wrote to memory of 5060	1388	Setup.exe	IKernel.exe
PID 1388 wrote to memory of 5060	1388	Setup.exe	IKernel.exe
PID 3840 wrote to memory of 376	3840	IKernel.exe	iKernel.exe
PID 3840 wrote to memory of 376	3840	IKernel.exe	iKernel.exe
PID 3840 wrote to memory of 376	3840	IKernel.exe	iKernel.exe
PID 3840 wrote to memory of 1512	3840	IKernel.exe	regsvr32.exe
PID 3840 wrote to memory of 1512	3840	IKernel.exe	regsvr32.exe
PID 3840 wrote to memory of 1512	3840	IKernel.exe	regsvr32.exe
PID 3840 wrote to memory of 4168	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 4168	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 4168	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 4956	3840	IKernel.exe	regsvr32.exe
PID 3840 wrote to memory of 4956	3840	IKernel.exe	regsvr32.exe
PID 3840 wrote to memory of 4956	3840	IKernel.exe	regsvr32.exe
PID 4956 wrote to memory of 3048	4956	regsvr32.exe	PnpUtil.exe
PID 4956 wrote to memory of 3048	4956	regsvr32.exe	PnpUtil.exe
PID 224 wrote to memory of 4348	224	svchost.exe	DrvInst.exe
PID 224 wrote to memory of 4348	224	svchost.exe	DrvInst.exe
PID 4956 wrote to memory of 3712	4956	regsvr32.exe	PnpUtil.exe
PID 4956 wrote to memory of 3712	4956	regsvr32.exe	PnpUtil.exe
PID 224 wrote to memory of 4208	224	svchost.exe	DrvInst.exe
PID 224 wrote to memory of 4208	224	svchost.exe	DrvInst.exe
PID 3840 wrote to memory of 1400	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 1400	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 1400	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 4952	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 4952	3840	IKernel.exe	regedit.exe
PID 3840 wrote to memory of 4952	3840	IKernel.exe	regedit.exe
PID 2340 wrote to memory of 540	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	GPlayer.exe
PID 2340 wrote to memory of 540	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	GPlayer.exe
PID 2340 wrote to memory of 540	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	GPlayer.exe
PID 2340 wrote to memory of 2124	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	explorer.exe
PID 2340 wrote to memory of 2124	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	explorer.exe
PID 2340 wrote to memory of 2124	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	explorer.exe
PID 2340 wrote to memory of 2124	2340	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	explorer.exe
PID 540 wrote to memory of 1572	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 1572	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 1572	540	GPlayer.exe	cmhelper.exe
PID 3764 wrote to memory of 1468	3764	cmhelper.exe	cmhelper.exe
PID 3764 wrote to memory of 1468	3764	cmhelper.exe	cmhelper.exe
PID 3764 wrote to memory of 1468	3764	cmhelper.exe	cmhelper.exe
PID 540 wrote to memory of 2360	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 2360	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 2360	540	GPlayer.exe	cmhelper.exe
PID 3172 wrote to memory of 4768	3172	cmhelper.exe	cmhelper.exe
PID 3172 wrote to memory of 4768	3172	cmhelper.exe	cmhelper.exe
PID 3172 wrote to memory of 4768	3172	cmhelper.exe	cmhelper.exe
PID 540 wrote to memory of 4668	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 4668	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 4668	540	GPlayer.exe	cmhelper.exe
PID 4668 wrote to memory of 2120	4668	cmhelper.exe	cmhelper.exe
PID 4668 wrote to memory of 2120	4668	cmhelper.exe	cmhelper.exe
PID 4668 wrote to memory of 2120	4668	cmhelper.exe	cmhelper.exe
PID 540 wrote to memory of 3800	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 3800	540	GPlayer.exe	cmhelper.exe
PID 540 wrote to memory of 3800	540	GPlayer.exe	cmhelper.exe
PID 2984 wrote to memory of 1276	2984	cmhelper.exe	cmhelper.exe

C:\Users\Admin\AppData\Local\Temp\049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
"C:\Users\Admin\AppData\Local\Temp\049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe
  "C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:5060
- C:\Program Files (x86)\Free Ride Games\GPlayer.exe
  "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" "-shortcut http://www.freeridegames.com/opTools/getRGMX.jsp?PrvId=143&AppId=521450&RunIndex=1&AcID=&OpenShInIE=0&PrvDir=Default"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UHR
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPR
    3⤵
    - Executes dropped EXE
    PID:2360
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    ER
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
      R
      4⤵
      Executes dropped EXE
      PID:2120
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UHR
    3⤵
    - Executes dropped EXE
    PID:3800
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPR
    3⤵
    - Executes dropped EXE
    PID:220
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    ER
    3⤵
    - Executes dropped EXE
    PID:3344
  - - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
      R
      4⤵
      Executes dropped EXE
      PID:4020
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UHW
    3⤵
    - Executes dropped EXE
    PID:3056
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    EW
    3⤵
    - Executes dropped EXE
    PID:1088
  - - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
      W
      4⤵
      Executes dropped EXE
      PID:1160
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UHW
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:4376
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    EW
    3⤵
    - Executes dropped EXE
    PID:3400
  - - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
      W
      4⤵
      Executes dropped EXE
      PID:2220
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UHW
    3⤵
    - Executes dropped EXE
    PID:3948
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    EW
    3⤵
    - Executes dropped EXE
    PID:4608
  - - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
      W
      4⤵
      Executes dropped EXE
      PID:4768
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  PID:2124

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:376
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\Downloaded Program Files\ExentCtl.ocx"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1512
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Runs .reg file with regedit
  PID:4168
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\PnpUtil.exe
    "C:\Windows\system32\PnpUtil.exe" -a "C:\Program Files (x86)\Free Ride Games\X7XSEx.Inf"
    3⤵
    - Drops file in Windows directory
    PID:3048
- - C:\Windows\system32\PnpUtil.exe
    "C:\Windows\system32\PnpUtil.exe" -a "C:\Program Files (x86)\Free Ride Games\X7Ex.Inf"
    3⤵
    - Drops file in Windows directory
    PID:3712
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Free Ride Games\EXEtenderDefaults.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Runs .reg file with regedit
  PID:1400
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Free Ride Games\EXEtenderDefaultsProvider.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Runs .reg file with regedit
  PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{317e92ba-9e45-064c-9ac3-c3cb2df15e33}\X7XSEx.inf" "9" "45e27dcb3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Free Ride Games"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4348
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a8def5cf-35ec-614f-bdff-eabad749e7fd}\X7Ex.inf" "9" "40f416ea7" "0000000000000164" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files (x86)\Free Ride Games"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4208

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" HR
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:1468

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PR
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" HR
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:1276

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PR
1⤵
- Executes dropped EXE
PID:3188
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:3668

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" HW
1⤵
- Executes dropped EXE
PID:3776
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:2764

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:3084
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:904

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" HW
1⤵
- Executes dropped EXE
PID:4504
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:1472

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:4620
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:4316

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" HW
1⤵
- Executes dropped EXE
PID:1368
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:4868

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:728
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FREERI~1\X7Ex.cat

Filesize
9KB

MD5
4db0d9102544cc0e46b5870782de5c6a

SHA1
9da212dd1c6c6cfa78bc50a338a3209de3c7e93a

SHA256
c8120e78026d34e4ab15c36e900dfdc346a1ea0150dfa17739583248aba02a53

SHA512
7397d5e4736a94a73e2198a3f20215060373e75da73363c9ed4c6429806588453ca4d58fb43a190ae8b3dbe70a382a8f8d952f05b03965e9169c922fdf0fb05d

Download Submit
C:\PROGRA~2\FREERI~1\X7Ex.sys

Filesize
588KB

MD5
1187d17d865d241a6fda5e6b39ef31fb

SHA1
80e1b557595a752bd156b88da6d1cb3d8a6f3108

SHA256
23d4427ea4984282df10ac5d8d6b5e16292ea51768b39abca679664a6a4dc64f

SHA512
feaca6289e4f6fab03789b704f1d94d3fd7eb84461397b9493efb42bb7077b932775012cef253e173d9718afd3c6fd85b33a9500cb467d181c38dc92ad347907

Download Submit
C:\PROGRA~2\FREERI~1\X7XSEx.cat

Filesize
11KB

MD5
27ba46f456a79f8cab37d1bba6ea13e0

SHA1
7b4c7cbdcdea54158671731273f1cc2fe4a95ec4

SHA256
07faaa44a1c9c186c3ed0c6efa3607397e9c1a3f9ef85323260f70a7afef0996

SHA512
f44630597d6e1d3343e74a355796fafbffc2e526785df4e9cd0d7deb1ca950f152deed5b84ff66c47794f1e491786ab671970054e3156568ccad162d99c800d0

Download Submit
C:\PROGRA~2\FREERI~1\X7XSEx.sys

Filesize
66KB

MD5
6bd48128d2e0595ea63f68bdbc6e1e6a

SHA1
803e5c16564c1dd08f16e430f39733bc815567b9

SHA256
07e8a6790b173eb9a2a028744373af973d0f611e23380c916806ed387c2b7def

SHA512
2e663fe4003ccf155a44522f182e2710baa59668cd5e0a0f643cf33861ea0d7f667f9e45867d109648c615446afea76eb5815a7f03da211dcd560813b3090504

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
C:\Program Files (x86)\Free Ride Games\ClientCfg.xml

Filesize
262B

MD5
33092f70ea80bc968eee80de9ad4c453

SHA1
91489ce57d4f22ce5b401080b0dd091f5e36be82

SHA256
de5727fdd8d46c40dcb9c200234cf941a355b67314c00fa7d64495e57f3cb0f0

SHA512
45090e61202ed292dadb33daf422fe3d8e3f0515322b225baa7652319519e0ed1d221170cdee10aca755fbecba7cc64d8eea8389586bbfb056a43133d40c6647

Download Submit
C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.reg

Filesize
10KB

MD5
a967a8514d0ad555b80e10b86d2c4ea9

SHA1
0f05f75587cd5a15a7b3a2bb980daf956e9ab99e

SHA256
142633c50dbeea509b3c1ff7c32223b227a40036c77361e0d0474316a9e63849

SHA512
cd9834292e008a4c15724c2c5eafb1a2cad6c50f9d889d269d8cf723f6556ac509db9be51fcb799a1e43570cef4a8fd4e681b08d9d77e1ae90118e423cba976a

Download Submit
C:\Program Files (x86)\Free Ride Games\X7Ex.inf

Filesize
1KB

MD5
4e7d28c8b8496f35ec235adb3571ae64

SHA1
118e6a979dbcdfa5863ce974190c1260b46849f7

SHA256
f00b4536d622b970d25174dc80a34136ecf9d6cbf2b2c2084085319e24d39a50

SHA512
935a2199593d946765b17526a4b055cd140478449f1ff5301398019d67624678bba75a38d4619950d483ccfd2d84e3882e58a5578c7a455e9e640476e5319cd6

Download Submit
C:\Program Files (x86)\Free Ride Games\X7XSEx.inf

Filesize
1KB

MD5
4766e4df0c340690eaae05515f3f1bbc

SHA1
0d4ab75ee90046805f80940e1a78ecf67faf8533

SHA256
4bdffd01a995ce88c3fd7f47e9919e5145dec20dd467200ae5b22d7878024a1f

SHA512
88e6623a6c2254e2941414ff50b8061b389b5922063609a7c91812b39ed73db4865e06877d2b0309727e1d9ae76ed1763c10ff95c13204eefae678f8ef3046c7

Download Submit
C:\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
C:\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
C:\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
C:\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe

Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe

Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\IKernel.ex_

Filesize
343KB

MD5
3214f45b155a8d5a26ee2f4dd93eaf73

SHA1
44a2e6e23a7c8167a7c36597d3e4714ef09f0f7e

SHA256
716cf59211259e00acb40481da02728264bc8948206b2153e96ddeae6e230dee

SHA512
064bf3728179657be4872d5b4d15cf7b4a605afc636fd55a4313bd96804a1b7e0b9f730a7a5df40841125e5ec465e1c195b673f1ee0700eebb864a90cce29b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\data1.cab

Filesize
498KB

MD5
1f5cb19bd50f9caa8b4a1f846a98dde8

SHA1
e454bcebab9865fca0d3e5dbddc81aaee828f8e7

SHA256
aff20289c501a3899e403c11138aca0e002c7becf0734d8bd135860fa7a8fbe6

SHA512
9e1a35f75043638da64598952d59faab979f0c86ab3675bc421ef6aa8140fc83713a095296189ffecd3b05e68693032daeba27d7ad48f8df7b4c8014a5999cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\data2.cab

Filesize
10.5MB

MD5
f66cf7b9886dde614857bb56e450966b

SHA1
42adecdd87f2ebe6a17044c8fad7115e9dab7bcd

SHA256
ffe81219f555ee4352c5c96ecceb4ee4b85d0f650c8e5243c102cf54ccc0e7c5

SHA512
3fd228bcd801ae9b21f5adaa21032589b3ddc571666dbe684e107a342b05cd15c12e2798ace38da43842a168088d45845233b4bca297cbb11f2610a52aea8188

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\layout.bin

Filesize
417B

MD5
ae7db797f4f7855091079f0841fce3ea

SHA1
2832dd3bdf894641688e05a9ee09d1fe9e2ead62

SHA256
64b0eb64395fbc22b8d54895318a81d5d2abe6e4045cb04641d75155cb869a47

SHA512
5a29ad7145928623a1fe4c932a6dbb0459c2c4a5046fa09effe04d38fd09b270cc1075aaf5d65d6405d673910d5ce1aac19daf2ce09f18bbb5813ecdf997b2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\setup.ini

Filesize
2KB

MD5
84320a31550309b8cc2ddf3c3c00f975

SHA1
3affa5e03b8dae2de23e1807ef1f583fdf781701

SHA256
4f08bacb598278136b61c4f01221b3061489a5c886f9634f26348254571ca8cc

SHA512
0547af5ae9858345161ee6468ab2f7b3011ab5f1bca7c6e577c7e37d1b41788fbdea159032728291fdfb123ef9c0b870678a517ce77e8ab6884bfbf89be86c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftACE1.tmp\setup.inx

Filesize
389KB

MD5
b4d6c93644f48e1e7a466c5c62caae5a

SHA1
787973d54704815e79054f58df7e0f10a2fd3726

SHA256
4e53d8ec2a0398980c6d4a959a139acbb74beac415ee5d61c0ee1e5d0fc9d739

SHA512
81c28ff24d019ccc371a79999b1855de396ade2a5abeffb3939b2e7a6a12d0604c19d315972072c9eeb2f532cc5646bf52a1e5572ba21558242812b4607b2495

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\_IsRes.dll

Filesize
252KB

MD5
48ea604d4fa7d9af5b121c04db6a2fec

SHA1
dc3c04977106bc1fbf1776a6b27899d7b81fb937

SHA256
cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b

SHA512
9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\_IsRes.dll

Filesize
252KB

MD5
48ea604d4fa7d9af5b121c04db6a2fec

SHA1
dc3c04977106bc1fbf1776a6b27899d7b81fb937

SHA256
cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b

SHA512
9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\isrt.dll

Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\isrt.dll

Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
C:\Users\Admin\AppData\Local\Temp\{317E9~1\X7XSEx.cat

Filesize
11KB

MD5
27ba46f456a79f8cab37d1bba6ea13e0

SHA1
7b4c7cbdcdea54158671731273f1cc2fe4a95ec4

SHA256
07faaa44a1c9c186c3ed0c6efa3607397e9c1a3f9ef85323260f70a7afef0996

SHA512
f44630597d6e1d3343e74a355796fafbffc2e526785df4e9cd0d7deb1ca950f152deed5b84ff66c47794f1e491786ab671970054e3156568ccad162d99c800d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{317E9~1\X7XSEx.sys

Filesize
66KB

MD5
6bd48128d2e0595ea63f68bdbc6e1e6a

SHA1
803e5c16564c1dd08f16e430f39733bc815567b9

SHA256
07e8a6790b173eb9a2a028744373af973d0f611e23380c916806ed387c2b7def

SHA512
2e663fe4003ccf155a44522f182e2710baa59668cd5e0a0f643cf33861ea0d7f667f9e45867d109648c615446afea76eb5815a7f03da211dcd560813b3090504

Download Submit
C:\Users\Admin\AppData\Local\Temp\{317e92ba-9e45-064c-9ac3-c3cb2df15e33}\X7XSEx.inf

Filesize
1KB

MD5
4766e4df0c340690eaae05515f3f1bbc

SHA1
0d4ab75ee90046805f80940e1a78ecf67faf8533

SHA256
4bdffd01a995ce88c3fd7f47e9919e5145dec20dd467200ae5b22d7878024a1f

SHA512
88e6623a6c2254e2941414ff50b8061b389b5922063609a7c91812b39ed73db4865e06877d2b0309727e1d9ae76ed1763c10ff95c13204eefae678f8ef3046c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A8DEF~1\X7Ex.cat

Filesize
9KB

MD5
4db0d9102544cc0e46b5870782de5c6a

SHA1
9da212dd1c6c6cfa78bc50a338a3209de3c7e93a

SHA256
c8120e78026d34e4ab15c36e900dfdc346a1ea0150dfa17739583248aba02a53

SHA512
7397d5e4736a94a73e2198a3f20215060373e75da73363c9ed4c6429806588453ca4d58fb43a190ae8b3dbe70a382a8f8d952f05b03965e9169c922fdf0fb05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A8DEF~1\X7Ex.sys

Filesize
588KB

MD5
1187d17d865d241a6fda5e6b39ef31fb

SHA1
80e1b557595a752bd156b88da6d1cb3d8a6f3108

SHA256
23d4427ea4984282df10ac5d8d6b5e16292ea51768b39abca679664a6a4dc64f

SHA512
feaca6289e4f6fab03789b704f1d94d3fd7eb84461397b9493efb42bb7077b932775012cef253e173d9718afd3c6fd85b33a9500cb467d181c38dc92ad347907

Download Submit
C:\Users\Admin\AppData\Local\Temp\{a8def5cf-35ec-614f-bdff-eabad749e7fd}\X7Ex.inf

Filesize
1KB

MD5
4e7d28c8b8496f35ec235adb3571ae64

SHA1
118e6a979dbcdfa5863ce974190c1260b46849f7

SHA256
f00b4536d622b970d25174dc80a34136ecf9d6cbf2b2c2084085319e24d39a50

SHA512
935a2199593d946765b17526a4b055cd140478449f1ff5301398019d67624678bba75a38d4619950d483ccfd2d84e3882e58a5578c7a455e9e640476e5319cd6

Download Submit
C:\Windows\Downloaded Program Files\ExentCtl.ocx

Filesize
398KB

MD5
9c63a99b4216a82a6754ff170a3cdb02

SHA1
8105e1faed19b7fedc02fd3fa7e72755ecaf6209

SHA256
47cba3d1af9af3b72db733336567bd80a422b04e89c5327390d5a143c394ea8f

SHA512
499da0abf3369bbfec4b584ef6935ef4df50c09d5fdb834db704a587dd1e817b2efe4907cc89f74119021adcc70529330a2f0bae02bb90733fdee58726c0add8

Download Submit
C:\Windows\Downloaded Program Files\ExentCtl.ocx

Filesize
398KB

MD5
9c63a99b4216a82a6754ff170a3cdb02

SHA1
8105e1faed19b7fedc02fd3fa7e72755ecaf6209

SHA256
47cba3d1af9af3b72db733336567bd80a422b04e89c5327390d5a143c394ea8f

SHA512
499da0abf3369bbfec4b584ef6935ef4df50c09d5fdb834db704a587dd1e817b2efe4907cc89f74119021adcc70529330a2f0bae02bb90733fdee58726c0add8

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
149KB

MD5
4a9ac587db4a7590a903ece98d8c08d6

SHA1
c5baa48d9c7924fd7b0b67478f252bcbe0174fc0

SHA256
c0ecdb555a355e6b56766aacb6137cea14561ba279934105ba9efe8dc42b1d26

SHA512
8001366eefb62baa182cdb4e8aed915d48e086f17c2e3e9ad6c7bcf847b4de35397b2d13717355b4c7fd738057aced6b5c0467bb8f1844c8c7723ea4d2742ca9

Download Submit
C:\Windows\System32\DriverStore\FileRepository\x7xsex.inf_amd64_cf24f944d6a42a21\x7xsex.inf

Filesize
1KB

MD5
4766e4df0c340690eaae05515f3f1bbc

SHA1
0d4ab75ee90046805f80940e1a78ecf67faf8533

SHA256
4bdffd01a995ce88c3fd7f47e9919e5145dec20dd467200ae5b22d7878024a1f

SHA512
88e6623a6c2254e2941414ff50b8061b389b5922063609a7c91812b39ed73db4865e06877d2b0309727e1d9ae76ed1763c10ff95c13204eefae678f8ef3046c7

Download Submit
\??\c:\users\admin\appdata\local\temp\pftace1.tmp\data1.hdr

Filesize
67KB

MD5
24aa2f11f07a6741e5cba0c77fbe41f7

SHA1
814b78b7d9e2ac36bc903af06c2e00e74b04c137

SHA256
276f1904a5a29eded951caabb832b5a1494a4fe1f957a24320f2f5234a665048

SHA512
a2e65f0f1364fe61cb4cda85718d843b21efe5455b5443946710c7a9ceb41fa491667af788cbb7852a3ed70fab5d98dd91499964e50a20ee1a8dfc4411b621fe

Download Submit
memory/220-259-0x0000000000000000-mapping.dmp

Download
memory/376-151-0x0000000000000000-mapping.dmp

Download
memory/540-251-0x000000000CC00000-0x000000000CC64000-memory.dmp

Filesize
400KB

Download
memory/540-237-0x0000000000000000-mapping.dmp

Download
memory/540-239-0x0000000002810000-0x000000000285A000-memory.dmp

Filesize
296KB

Download
memory/540-253-0x000000000CE70000-0x000000000D083000-memory.dmp

Filesize
2.1MB

Download
memory/748-290-0x0000000000000000-mapping.dmp

Download
memory/904-270-0x0000000000000000-mapping.dmp

Download
memory/1088-271-0x0000000000000000-mapping.dmp

Download
memory/1160-272-0x0000000000000000-mapping.dmp

Download
memory/1160-273-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1276-257-0x00000000009E0000-0x0000000000A1A000-memory.dmp

Filesize
232KB

Download
memory/1276-256-0x0000000000000000-mapping.dmp

Download
memory/1328-275-0x0000000000000000-mapping.dmp

Download
memory/1388-133-0x0000000000000000-mapping.dmp

Download
memory/1400-231-0x0000000000000000-mapping.dmp

Download
memory/1468-242-0x0000000000000000-mapping.dmp

Download
memory/1468-243-0x0000000000340000-0x000000000037A000-memory.dmp

Filesize
232KB

Download
memory/1472-276-0x0000000000000000-mapping.dmp

Download
memory/1472-277-0x00000000004C0000-0x00000000004FA000-memory.dmp

Filesize
232KB

Download
memory/1512-186-0x0000000000000000-mapping.dmp

Download
memory/1572-241-0x0000000000000000-mapping.dmp

Download
memory/1840-289-0x0000000000000000-mapping.dmp

Download
memory/2108-269-0x0000000000000000-mapping.dmp

Download
memory/2120-249-0x0000000000A00000-0x0000000000A3A000-memory.dmp

Filesize
232KB

Download
memory/2120-248-0x0000000000000000-mapping.dmp

Download
memory/2124-238-0x0000000000000000-mapping.dmp

Download
memory/2220-282-0x0000000000000000-mapping.dmp

Download
memory/2220-283-0x0000000000040000-0x000000000007A000-memory.dmp

Filesize
232KB

Download
memory/2360-245-0x0000000000000000-mapping.dmp

Download
memory/2764-267-0x0000000000600000-0x000000000063A000-memory.dmp

Filesize
232KB

Download
memory/2764-266-0x0000000000000000-mapping.dmp

Download
memory/3048-203-0x0000000000000000-mapping.dmp

Download
memory/3056-265-0x0000000000000000-mapping.dmp

Download
memory/3344-261-0x0000000000000000-mapping.dmp

Download
memory/3400-281-0x0000000000000000-mapping.dmp

Download
memory/3668-260-0x0000000000000000-mapping.dmp

Download
memory/3712-212-0x0000000000000000-mapping.dmp

Download
memory/3800-255-0x0000000000000000-mapping.dmp

Download
memory/3840-222-0x00000000072C0000-0x00000000073F5000-memory.dmp

Filesize
1.2MB

Download
memory/3840-221-0x00000000072C1000-0x000000000739C000-memory.dmp

Filesize
876KB

Download
memory/3840-175-0x00000000053D0000-0x0000000005475000-memory.dmp

Filesize
660KB

Download
memory/3840-235-0x00000000072C0000-0x0000000007365000-memory.dmp

Filesize
660KB

Download
memory/3840-193-0x00000000072C0000-0x0000000007365000-memory.dmp

Filesize
660KB

Download
memory/3840-169-0x0000000003B20000-0x0000000003B4C000-memory.dmp

Filesize
176KB

Download
memory/3948-285-0x0000000000000000-mapping.dmp

Download
memory/4020-263-0x00000000008B0000-0x00000000008EA000-memory.dmp

Filesize
232KB

Download
memory/4020-262-0x0000000000000000-mapping.dmp

Download
memory/4168-189-0x0000000000000000-mapping.dmp

Download
memory/4208-216-0x0000000000000000-mapping.dmp

Download
memory/4316-280-0x0000000000000000-mapping.dmp

Download
memory/4348-207-0x0000000000000000-mapping.dmp

Download
memory/4376-279-0x0000000000000000-mapping.dmp

Download
memory/4608-291-0x0000000000000000-mapping.dmp

Download
memory/4620-130-0x0000000000000000-mapping.dmp

Download
memory/4668-247-0x0000000000000000-mapping.dmp

Download
memory/4768-246-0x0000000000000000-mapping.dmp

Download
memory/4768-292-0x0000000000000000-mapping.dmp

Download
memory/4768-293-0x0000000000570000-0x00000000005AA000-memory.dmp

Filesize
232KB

Download
memory/4868-286-0x0000000000000000-mapping.dmp

Download
memory/4868-287-0x0000000000F30000-0x0000000000F6A000-memory.dmp

Filesize
232KB

Download
memory/4952-232-0x0000000000000000-mapping.dmp

Download
memory/4956-199-0x0000000000000000-mapping.dmp

Download
memory/5060-138-0x0000000000000000-mapping.dmp

Download